Kelsey Hightower: And make sure you ping me offline… Me being at Google, I love this authentic advertisement for Google Cloud right now. This is totally legit, I appreciate it. But we can definitely help you in terms of credits for the community; we definitely don’t want you to bare too much of the cost for something that really feels community-oriented. It kind of speaks in the spirit of Golang itself. GopherCon, this show, all these things we do as a community – I’ve seen it in other projects as well, so I can’t say it’s unique to Go, but it’s really refreshing to see the amount of collaboration between you and Ashley, who have never met in person, but yet you guys pulled off this particular service just so people can actually build gophers of themselves. I think that’s fantastic.

Haroon Meer: Yeah, I’ll tell you two interesting versions of that. The one is - and I feel strongly on this - is one of the original sins of the security industry is them promising too much, and trying to be too much. And sometimes people need to be able to say “Yeah, we don’t do that.” Like “Yeah, we wouldn’t catch that.” If you know where all the Canaries are, and you don’t touch them – like, you know where all the tripwires are; that stuff’s not gonna catch you. And I think people should be okay with saying that. And our pitch to try to mitigate against that is that we want to make things that are easy enough to deploy, that a person can deploy it without letting the whole company know “Hey, here’s what I’m doing. We’re doing this Canary rollout.” Like, literally, go plug it in, forget about it. It’s in that corner. It doesn’t need huge shenanigans.

And Canary tokens add trickiness, just because they could be anywhere, and they could be – we’ve given a few talks on Canary tokens, because some of them are really dependent on how tricky the security team wants to be. So some of them are obvious, like that AWS API key that I mentioned. But we’ve got another one, for example, that’s a legit WireGuard endpoint. And so you take your CEOs phone, and you add a WireGuard tunnel on his phone that says “Secret exec network 123.” And you forget about it. And what you’re waiting for is when he gets his phone compromised, when he’s going through customs into China, when that phone gets grabbed, it’s the sort of thing that an attacker who you’re interested in looks at it and goes “I see. I’ll use this endpoint. I’ll check what this is.” And our pitch is, if we can make those things easy enough to do, then security teams can do them.

And so if you take – I know lots of vendors use it, but if you take people having their SolarWinds moment, where attackers have compromised the build server deep in a network, and the only time they find out about it is after the attackers used the build server to build new software that’s been deployed to all of their customers, that sort of attacker who finds AWS credentials on that machine has to try to use them. Because maybe that’s SolarWind’s cloud environment. Or if they find a VPN endpoint on that machine, they’ve got to see what’s at the other end of it. Which means in week one you get notified that a machine nobody should be touching is doing strange things, instead of waiting till you read about it on CNN. And mostly that’s our pitch, is “Do this now, forget about it. It will be good for you.”

Jerod Santo: Yeah. So probably I’m at like 94% now… And then here comes an issue, issue number 393 hit our GitHub issues, which we’ll link up… Newsletter links proxy encodes special URLs with HTML instead of percent based. This is a tiny little bug that was just interesting to me.

[51:59] So what happened is, in our Changelog weekly newsletter, which goes out every Sunday morning, it includes all the shows from that week, every episode we put out, as well as all the news and the links and the repos and the commentary for the week, we linked to Chris Manson’s post called It’s All Gravy. And his website is Chris.manson.ie, probably because he loves Internet Explorer, and then /it’s-all-gravy… Only it’s is a contraction, right? So, it’s, it apostrophe s. And the son of a gun left the apostrophe in there. Now, I’m giving him a hard time, because I know Chris, he’s a JS Party listener, hangs out in the chat… And he left that apostrophe in the URL. First of all, isn’t that just like, blasphemous right there, having an apostrophe in your clean URLs, people?

But what happened with that apostrophe is the way that we encode that creates the HTML encoding instead of percent-based, which you’d expect in the URL, which caused people that clicked on that link in our newsletter to go to a web page, which was a 404, because it was incorrect.

Now, certain browsers actually manage it okay, and the apostrophe looks fine in the address bar and everything, which I thought was kind of interesting. And so I thought, “Here’s a bug I should chase down, while not working on these uploads to the cloud branch that I’m supposed to be working on…” And so I started to figure out - okay, mystery time… What is going on here?

So I dive into our codebase and I find the line of code in question, and everything looks legit to me, and then I realize, okay, I’m calling this Phoenix… So we are an Elixir/Phoenix application, for those who haven’t been following along the whole time… And at a certain point, we call into Phoenix. And Phoenix has an HTML library that generates HTML, and there’s a function called link… So if you’re familiar with – every web framework has like a link function; linkto was Rails’ invention, which everybody’s pretty much copied. Phoenix’s link works very similarly. So all we’re doing is calling that and just passing it the URL, which has the apostrophe in it.

So I started digging a little deeper, and I started thinking, it’s like, “Whatever is happening is outside of my domain, right? It’s a dependency that’s doing it.” So I don’t know, Gerhard… What do you do in this circumstance? You’ve got a dependency that’s not doing something totally right? What’s your first move? I guess you’re more of an ops guy, so maybe your developer chops are maybe rusty, but what’s your instinct?

Derek Collison: I think that’s a great question… And like I said, I took a stance for probably almost 20 years, of “Oh no, just use whatever you’re gonna use.” I really wouldn’t even engage with people, because it would be a two-hour conversation. I would still probably lose the argument at the end, so to speak.

What’s happening now is that things are kind of coming back to it. So just to level-set - one of the things that I care deeply about with messaging systems is a couple things… And it’s not about messaging, especially not about the message broker from the ’90s type stuff; we need to not think of it like that. We need to think of it as a ubiquitous technology, kind of like network elements.

I was around when there was a single cable, and if you ever kicked the terminator cap off the end, it took the whole network down… And I saw the birth of hubs, and switches, and smart switches, and top of rack, and all the crazy network elements that we have… And just as well, a modern system needs to be doing that similarly. But to start out with - the first thing it does is it says “I am gonna do addressing and discovery not based on an IP import, but on something else.” You can call it a channel, a topic, a subject - I really don’t care what you call it.

Now, again, for a while, people were like “Why? This doesn’t make any sense.” But in today’s cloud-native world, I would argue what everyone is doing today makes no sense. We struggled so hard to change servers from pet to cattle, and yet we’re still saying “Oh, I wanna talk to Johnny’s service, so I need to know the notion of an IP port.” Now, I know what the audience is probably thinking, and I’ll walk through an example of what this really looks like in practice.

The other thing too is that messaging systems, when they do that abstraction, a lot of people call it pub/sub. And we still call it pub/sub, but again, we’ve gone away from that, because it’s kind of got a bad rep. But what I mean by pub/sub is that if the technology can understand multiple messaging patterns - one to one, one to N, m to N, and then one to one of N, meaning I can automatically say “Hey, I wanna send a message and only one of you in this set will receive it.” That’s kind of what NATS does at the very basic levels…

And folks always ask and they go “Oh, I just don’t need any of that stuff”, and I say “Okay, a couple things… One, decoupling is good.” Pets versus cattle was legit; let’s make sure our connected technologies follow the same path, and don’t say “No, no, this one’s special”, whether it’s an individual server, or a load balancer, or a special host… It just makes no sense in a modern world. So we push down on those things and we say “Okay, got it.”

[16:18] The last piece of advice I always give people from the ‘90s is “Never assume what a message…” - and a message could be a request, it could be data events, all kinds of stuff. But “never assume what the message is gonna be used for tomorrow.” So everyone kind of looks at me and says “What does that mean?” and I say “Okay, I’ll give you a really simple example.” When we talk about NATS these days, with a very fortunate, growing user base, and all kinds of crazy interest from customers and clients these days, is - modern architectures, distributed architectures are built using connected patterns, and there’s really only two. There’s lots of nuances to it, but there’s two. It’s either a stream or it’s a service.

The service is I ask a question, I get an answer, and a stream is I’m just sending a piece of data, and then I don’t care. And to level-set, distributed systems, even up to a couple years ago, were dominated - 98%+ of everything was a service interaction. I’m not saying it has to be synchronous, but everything was “I’m asking a question and getting an answer.” HTTP is “I ask a question and I get an answer” type stuff. So I said “Fine, on day one you know who’s gonna be answering that question.” So you coded up so that I’m gonna send a question to Mat, Mat’s gonna respond back with an answer. And you’re doing it on your laptop, and you use HTTP, or gRPC, or whatever, and you’re like “That’s all I need.” I go “Great.”

Let’s not even get to the point of anyone else being interested in the message. Just to start with “Okay, let’s go to production.” Well, we need more than one map. Oh, crap. Now we need a load balancer. Well, now we need to put stuff in, and do DNS… And that’s fine; production can handle that. I don’t have to worry about that. So then they do health checks, and then they have to figure out rerouting, and all this stuff… And all these big companies have playbooks on exactly how they do it, and they all look very similar, but they’re all slightly different.

Now let’s say someone says “Hey, for compliance we need to be able to watch all requests and we need to record them.” Now all of a sudden you’re gonna have to put a logger, and you don’t want the logger in place of a request-response, which is a massive anti-pattern I see being proliferated these days. It’s like “Oh, no… Put a messaging system in between it, and store it on disk, and try to retry, and stuff like that, in line with the microservice, in line with the service interaction. I’m hyped up on Red Bull, but that’s the dumbest thing I’ve ever heard. It’s like Google saying “We’re gonna write all the log entries before we return your search results.” It’s just foolish, no one would ever do that. But there’s a need to say “Hey, I need to be able to write these things down, and someone else is gonna look for anomaly detection, or any type of policy enforcement, whatever it is.

So look at that system when you’re getting to the end of the day, and now let’s say we actually wanna spread it out from East Coast to West Coast, to Europe, and you need Anycast, and DNS, and all kinds of crazy stuff and coordination on the backend of state. They become really complicated, and they’re trying to get around the fact that everything is just point-to-point; it is naturally a one-to-one conversation. Whereas with a messaging system, you write it, you run it in that server, let’s say, or whatever, but think of the NATS server is extremely lightweight. It can run on a Raspberry Pi, in your top of the rack switch, you can run it in your home router, you can plug and play and put these things together in any arbitrarily complex topology that spans the globe… And that’s another discussion on distributed systems that aren’t really distributed.

So you set it up on your laptop and you run the NATS server. Its Docker image has been downloaded 150 million times… It just runs. For example, a subsystem of GE doing nuclear stuff runs our server for two years at a time, with no monitoring, no anything. And when they come in to change things inside of that nuclear reactor type stuff, they shut it down and figure out if they wanna upgrade it or not.

[19:59] So it’s lightweight, it’s always there, it’s ubiquitous, it just works. So now all of a sudden you write the same program, you’re sending a request, getting a response, doing it on your laptop… I would argue you’ll take the same amount of time, or possibly less, but it’s on the same level. You do have to run the server.

But now when you go to the next level of production - I need more mats. Well, just run more NATS – I mean, maths, not NATS. “Oh, well do I have to put in deployment a framework like Kubernetes and a service mesh?” No. I don’t care how you run them. Run them on bare metal, in a VM, in a container, in Kubernetes… It does not matter, run them anywhere. The system automatically reacts.

By the way, you haven’t configured anything on a NATS server yet, ever. Now, all of a sudden you’re like “Okay, well what happens if I wanna do compliance and I need to watch all the requests coming in?” Just start a listener for it. It’s got all of those patterns built in, so there’s nothing changing between me who’s asking the request and Mat who’s giving the response; we have to change. As a matter of fact, we don’t even have to be brought down and restarted; we’re just running along and people can come up and bring up anomaly detection, logging… All kinds of stuff.

So as you keep making these systems more production-ready and complex, you realize that messaging gives a huge win over the other ones. Now, the other ones are kind of known. People know how to put up load balancers, and know how to do logging, and know how to do all this stuff… But when you see something running on a service mesh and you haven’t even sent a single request check and you’re spending $6,000 a month… And I can show you, we can do 60,000 requests a second, with all of the servers latency tracking, all transparently, doing it for real, and it runs on a Raspberry Pi… That also translates to OpEx savings, which is a big deal.

NATS has always been known for how fast it is, but most people tell me “But we don’t need to go that fast. We don’t need to have a server doing 80 to 100 million messages a second.” And I go “I know”, but if you think about it, if you take that same thing for your workload and put it in the cloud, you can save 80% on your OpEx budget.

So do people need messaging systems to build stuff? Of course not, because everything for the most part is built on essentially HTTP, which again, is an interesting one to me, unpopular opinion… But I know why we did it that way, and we don’t have a reason to do it that way anymore and get it stuck, right?

The notion of client-server or request/response in the old days was the requester and the responder were usually inside the same network firewall… Not firewall specifically, but essentially we’re inside the company. And everyone started to say “Hey, I want the requesters, whatever those things are, to be able to walk outside of the corporate network.” So all of a sudden people started doing this, they go “We can’t get through the firewall”, and the firewall people, or the old DB people, they go “No.” It doesn’t matter what you ask them, they say no.

So people kind of went “Wait a minute… Port 80 is always open. We can piggyback off that and circumvent this whole thing. So we can just do request-response on HTTP or HTTPS, and it works.” And it’s true, and I remember doing some of those tricks myself. We’re not in that world anymore; that makes no sense whatsoever to build a modern distributed system off of technology that existed for something totally different and was a workaround around security and firewall systems.

Break: [23:23]

Suz Hinton: Yeah, I can definitely share some of that. I come at edge computing from the IoT side of things, especially in Azure… So it’s particularly useful for IoT, because if you think of a whole bunch of devices out in the field, whether that’s in a building, whether that’s agricultural use, or something like that, you would normally require every single one of those devices to have its own internet connection. So it either has somewhere that it has to connect from, or it has to have some kind of SIM card in it, or even just like Wi-Fi connection capability.

What you can do instead is you can just have one edge device that sort of acts almost like – it can be a gateway in a lot of cases, and it can be doing a lot of that fielding of the telemetry coming in from the devices. So instead, the devices can all connect to this edge device. It’s responsible for authenticating, and making sure those devices are legit, and they’re allowed to connect. It can be passing telemetry back up to the cloud, and it’s the only one responsible for having to do that. It can deal with things like internet connectivity, so it can stop buffering telemetry, and things like that, and then when it back online, it can then start pushing them up.

It can also do things like run machine learning; like you said, run extra processing. So it can either run machine learning down on the edge, which means that you have a faster response time, because you’re not waiting for it to come back from the cloud… And the other side of things too is you can be filtering that information. So instead of having to rely on those other devices, which have much smaller or less powerful processing power, you can have this intermediate device, which is – again, the reason why I talk about it from the IoT perspective is you can already see how much that’s changed the IoT game, and just made a lot of this infrastructure much better as a result.

Jerod Santo: Well, even just in the fact that it’s created by three JavaScript developers, and not statisticians or professional survey takers who understand – I wouldn’t know how to put out a good survey, and putting out a good survey is very difficult to do, even if you know the means and mechanisms… So they probably were disadvantaged in the first place.

And let me just say - the name of it, “The State of JavaScript”, of course, gives it a lot of credence… But also, to their credit, the website is spectacular, and very well made, and enjoyable, and it makes the thing have more clout because of how well it’s done. It’s been done for multiple years, 20,000 respondents… It seems very legit, and that’s because they did a very good job of putting it together, so credit to all three on that, but especially Sacha Greif, who I think did the design. I just think it’s very well done.

Jared Lander: So with a linear model, the reason we made it linear is because it was a simplification so that way they could do the math. But nowadays we have more powerful computers, and most things in life don’t follow a linear relationship, they follow a non-linear relationship.

Now, when I say non-linear, that could have different meanings, depending on the technicality, but you can imagine if you had a cloud of points with a X and Y-axis - instead of fitting a straight line through those points, if you fit a step function. Maybe for the first segment it’s about a third of the way up the Y-axis; the second segment, the straight line would go two-thirds up, and the last segment - it’d be back down to the bottom of the Y-axis. That’s a simple step function that is non-linear. It doesn’t fit a nice, straight line, it doesn’t even fit a curvy linear line; it fits a step function. That’s somewhat the idea behind a tree, somewhat.

The ability to capture these non-linear relationships, regardless of the method, allows us to really model reality better. That’s why trees are really great, they have high predictive power, and why random forests and boosted trees. That’s also why deep learning is powerful, because it is non-linear. It has a lot of non-linearities.

When you’re going from your input to your first hidden layer, and then on to subsequent hidden layers, there are two steps. There is a matrix multiplication of the inputs by their weights (or coefficients) - and that’s linear. If you just did that, a deep learning model would just be a linear model. You could even stack many more layers, and if you just did these multiplications by the weights, it would just be a series of linear models, which would become one large linear model. Then you essentially have a straight line or a curvy linear line.

[20:24] But it’s that next step at each layer - the activation function. That is a non-linear function you are applying. So whether it is a tanh, or it’s a ReLU, or a sigmoid, which is just a fancy word for inverse logit, regardless of which one you’re doing, you’re doing a non-linear transformation, and that puts a non-linearity in your model, which allows you to capture more complex relationships; if you do more layers, you have more non-linearities, so you can capture really interesting separations between your data.

Adam Stacoviak: So this is a legit – this has gone from [unintelligible 01:38:31.07] quickly.

Jerod Santo: An open source alternative to Notion

Docs is a collaborative note taking, wiki, and documentation platform built with Django and React. As a result of a joint effort from the French and German governments, it is MIT-licensed with the following note in the README:

While Docs is a public driven initiative our license choice is an invitation for private sector actors to use, sell and contribute to the project.

Very cool initiative! But is it any good? I signed in to the demo (link and credentials in the newsletter) and kicked the tires for a few minutes… seems legit. Self-hostable, too!

Adam Stacoviak: The best pecans you’ll ever have. You can just get the pecans for Christmas if you want. You can get a bag, or you can get the chocolate-covered ones. Whichever flavor you want to go with, but their pecans are legit the best pecans ever. This is not sponsored, just a tried and trued, loved, beloved Texas brand called Berdoll.

Jerod Santo: Everyone knows your location

After learning of a massive data leak that exposed 2k+ apps secretly collecting geolocation data without user consent, Tim “Sh” looked into the list and found three apps he has installed on his iPhone in the list. That gave him an idea… could he track himself down externally, e.g. to buy his geolocation data leaked by some application?

So, he grabbed an old iPhone 11, restored it to factory defaults with a brand new Apple ID, set up Charles Proxy to record all traffic coming in/out, installed a single game (Stack by KetchApp), and logged all his findings. The results are troubling, but not surprising. He even made a flowchart of the data coursing its way through the network. Finishing with

This is the worst thing about these data trades that happen constantly around the world - each small part of it is (or seems) legit. It’s the bigger picture that makes them look ugly.

Jerod Santo: And so I went and downloaded this sucker. I checked it out first and made sure it was legit, because I’m like “Hm… It’s on GitHub.” Checked them out. Shout-out to Palmer Al.

Jerod Santo: Exploring a stablecoin bank

Bridget Harris goes deep on the potential of crypto stablecoins to disrupt Visa and Mastercard’s duopoly:

Right now, Visa and Mastercard charge merchants egregious 2-3% swipe fees — which is typically their second highest cost after payroll. Sadly, smaller merchants are disproportionately hit by these swipe fees…. This is partly why Visa and Mastercard’s profit margins are each higher than 50%: small businesses have no choice but to accept Visa and Mastercard since they control 80% of the credit card market.

A stablecoin network could drop those swipe fees to essentially zero. Merchants hate swipe fees — rightfully so — and if they could opt for a lower-fee network that wouldn’t limit their TAM, they’d switch in a heartbeat.

I’ve long asked cryptocurrency bulls to point me to the killer apps. First it was ICOs, which didn’t really pan out (too many scammy founders). Then it was NFTs, which were a lot like the pogs of my youth (fun for a day or two). More recently, it’s been ~~prediction markets~~ gambling, which I admit is a legit app, just not one I’m interested in.

But, “knocking 3% off every transaction in the world”… That dog could hunt! Unfortunately, it’s also going to require government intervention, of which I’m a perma-bear.

Jerod Santo: [00:37:43.00] So this is related. It’s not a button, but it’s the area of lore. How about streetlights and cars? There have been stories of specific things you can do at particular streetlights… For instance - and I’ve been told these things. I’ve never confirmed any, but I’ve tried them all. Like flashing your brights… There’s a there’s a sensor on the top of the light, if you flash your brights at the light – if you’re the only car there, for instance, and you’re at a red light at a four-way stop, flash your brights. It will then know that you’re coming and switch it. That’s one. The other one is there’s sensors. There’s weight sensors in the concrete at the stoplight. And you have to make sure you’re on them. And if you are – this is usually for stoplights that have not much traffic, and they always stay green one direction… But when a car is there, they just flip for that car. Maybe you’re not an expert on this, Rachel, or maybe, Adam, you know… But are those just old wives tales that they might say? Or is that legit?

Adam Stacoviak: And you know, obviously, we QA’ed it, we kind of like previewed some things, but I didn’t listen to it with intention and enjoyment and motion - like, body motion - until it was on Spotify. And the moment it was, I queued it up, and legit me and the kids just danced. They mainly danced a lot. I just like moved a little, you know? They were really having a lot of fun, for like the whole thing. We just listened end to end, the entire album. It was awesome.

Autumn Nash: You were like a legit little teeny baller influencer over here.

Mat Ryer: And you quickly forget about the mics. You quickly forget you’re on a podcast, don’t you? So you end up just talking in a little group, basically. So that’s the experience. And then when it comes out, people were very shocked by exactly that. The production value, just how good it sounds when it’s in that context, how legit it sounds next to other podcasts… Yeah, people are very complimentary.

And I’m thrilled to be on it. I think, like you said, we had so many guests, we had so many different people speaking, talking about all sorts of stuff… We had more speakers than a Bang & Olufsen restaurant.

Jerod Santo: Yeah, I think that the end result of this - there’s a very real possibility that this change, while it effectively takes away shows in the short term, I think it actually might result in more, better developer pods down the road… Because we had reached our capacity, and for many years we’ve turned down ideas and opportunities because we were just maxed out. I mean, how many times has a listener requested a podcast from us about Rust? Probably a hundred, maybe slightly less… But many, many, many times. And I hate that – I don’t hate it, but I have an internal anxiety about that request, because it’s like, I just knew I couldn’t do it. We couldn’t do it under our current structure.

Now, there was another option… Like, we could grow our business, we could grow our team, we could build out that way. And I think a large part of life is knowing what you want… And I’ve lived long enough to know that I didn’t want to do that. I don’t think Adam wanted to do that. And so that wasn’t an option for us, just because we just don’t want that to be our life.

And so the other option is either stay at capacity, five shows a week… Technically it’s like seven shows a week, because The Changelog is three episodes a week. And live that life, and make those shows; and we did that for a long time, and that was a totally legit route. Or double down on the main thing, let a few of the things that we love go, and see if their love returns to us tenfold. Now, that’s just the corny saying about if you love something, let it go, right? Encourage the people who have been making those shows with us to make same, or similar, or new shows that we could support them. But independently, as their own thing, so they could have full ownership. They could have equity. And we can all podcast together, and work together, and collaborate.

[11:40] And so I’m very excited about where it’s going to go. Obviously, in the short term, it’s on the bitter end of bittersweet, especially for me. I mean, speaking very personally, JS Party is like one of my favorite things. I’ve grown very fond of that podcast, and those people, and what we do together. And Go Time very similar. I’m not on Go Time on a regular basis. I do show up from time to time, but I’m a regular on JS Party. And so just emotionally, it’s just a very hard thing to stop.

I’m very excited that Nick and Kball and Amy are going to continue podcasting together… And then I have a standing offer to join their show whenever I want and hang out. Because I just love the shows that we made together, and the times that we spent. So it’s been a hard decision… It’s been a long time coming for us. Obviously, we don’t talk about our indecisions publicly.

We talk about our decisions. But we’ve been toiling over this change, like Adam said, probably for a year. We almost did it a year ago, honestly, but we didn’t. And now we’re doing it. Sometimes you’ve just got to pull the band-aid off, you know? And it’s hard, but it feels right… And I’m excited about January, because I think it’s going to breathe some new life into our show, into these other shows… And yeah, those are my initial thoughts on it.

Jerod Santo: So those are legit numbers then. I am on wireless here, and so I think mine’s capped by my wireless network card.

Chad Whitacre: Then you put that on your domain to validate that it’s legit with your company.

Gregory Richardson: One of the things that I – and again, I’ve been in this industry for almost 40 years, so it’s pretty much the only thing I’ve done professionally, since I came out of college. So I’m very passionate about it, in case that’s not extremely evident to your audience yet. Therefore, I also tend to look at myself and my industry with a really - sometimes a bit of a harsh lens. So I’m going to say something now that might be applicable outside of cyber, but I see it from inside of cyber. And we gut ourselves. We do legit harm to ourselves by feeding – and when I say “we”, the vendors primarily… By feeding into the hypecycles and selling stuff that we know good and gosh darn well are absolute smoke and mirrors, or have limited usefulness, but they sell well. The notion of “We’re going to have an AI-powered SOC, and you’re not going to need SOC operators anymore. All these analysts, you won’t need them. You’re going to get just less analysts, because the AI is going to do all of that for you.” The more we hype that up, the more you get that Gartner hypecycle where people try it, and they go “Holy cow, this doesn’t work this way at all. I still need the humans.” The humans add, as Ismael said, context, and awareness, and situational strategy, not to mention things like morality, which AI is terrible at.

Now, can the AI do bulk volume of data processing? It absolutely can. And that’s one of the places we should lead into. I’ve touched on things like vision, and some of the more esoteric parts of AI that we don’t speak about every single day… So I’m not limiting it to prediction classification and large language models, but I’m just saying, large language models are amazing. I use them regularly for processing anything having to do with language, whether that’s code language, indicator language, or spoken/read language.

[00:34:26.18] One of my very practical things that I do with almost every piece of content I’m attempting to digest now is I try to get the audio, and I run a transcript. Send it to Whisper, send it to whatever API, give me a transcript of it, analyze the transcript for me, give me some key talking points… What are the things that I said? What are some tweetable lines that I want to broadcast out? What are some key quotes that I said? And I build my brand on social media, and I flavor my other talks with that content that I’ve said already. I’m going to do it with the talk that I’m doing right now. That’s why, in addition to as a backup, I’m also recording my own audio here, so that I can extract that.

So I use LLMs. They have utility, but they’re not the end-all panacea, “Oh, my God, they’re great. We should throw everything at an LLM.” The more we do that, I think the more we do intrinsic harm to the industry, and most importantly to our customers’ ability to defend themselves. Because the threat actors are not – at least I don’t see the threat actors out there building a hype cycle. I see them out there efficiently sharing threat intelligence, and leveraging it to build new, novel attacks, so that there’s unique ways that they can get their objective, which is monetize weaknesses in our environment. We are not as maniacally focused on our task at hand as that yet.

Break: [00:35:56.14]

Jerod Santo: For instance, I’m listening to the Founder Mode conversation right now. I’m a few weeks behind, of course, as I always am, catching up with Go Time… And Founder Mode conversation with you, Kris and Angelica - when you’re not a founder, you’re just a regular employee at an organization, how does this Paul Graham essay apply to us? And I

think it’s fine. I think that’s totally legit for a Go Time conversation, because of course, we all live in this world where we’re using our skills to make a living, or to create stuff, or to start a business, or working for a startup founder, or working in a large organization… We’re all in these different areas, and these facets all affect us. And so it’s easy to tie back to the programming language, or to the people using the programming language, because we’re all kind of in this similar lifestyle.

John Nunemaker: Because they got this amazing three-story office, and then COVID happened and they just turned into an event space, and it was killer. I mean, they had barbecue on the roof deck… Legit just making barbecue, putting it on sticks. I ate like 10 in a row, and the lady was just like “You must really like this.” And I was like “You guys are amazing.” And we became friends, you know?

Pablo Galindo: Well, one of the things that is very exciting with the JIT right now is that the approach itself is quite cool. Like, for instance, if you’re making a JIT for a dynamic language, one of the biggest challenges is not only adding the infrastructure itself for a particular CPU, or architecture, it’s that you need to do it for all of them, and for every single OS… Because at the end you’re writing machine code, and machine code depends on your CPU architecture, your platform… So the JIT is not the JIT, or as we like to call it, legit… But you need one for Windows, one for macOS, one for Linux, but also one for AMD64, one for [unintelligible 00:50:19.11] one for ARMv7… So you can imagine how hard this actually is, because you basically are implementing now a compiler.

But this approach that the brand is taking not only has the advantage that it’s basically leveraging an existing compiler behind, in this particular case LLVM, but also it’s doing it at the front. So it doesn’t happen at compile time. Like, all that assembly code has been generated before, and the only thing that we need to do at runtime is to stitch those things together. So we have these templates.

So [unintelligible 00:50:50.29] not a runtime dependency; it’s just a build time dependency. So you build all these assembly code, and it uses the native compiler for your platform. So if you’re in some forsaken platform, like, I don’t know, AAX, or something like that, it will work if you are able to run Clang there.

So that’s great… But also, which is really cool, most JITs need to also implement themselves, is that we are able to leverage an optimizing compiler for this particular workload. So not only does assembly code works for every architecture because someone else actually implemented the backend, but also, we can leverage all the optimizations that everybody that’s using LLVM is using. It’s the same optimizations that Rust is using. Rust is using LLVM these days still, and they are using – I mean, if you program the IR, the Intermediate Representation correctly, and then you are able to leverage that well, which is easier to set that done… But the idea is that now you can use these many years of compiler research just to make your code faster, and we can just leverage that immediately, as opposed to having to re-implement all those things, and have like SSA ourselves, and streaming, and all that stuff. Now you just run Clang, and you get some super-cool assembly out, and you need to just stitch it together, and [unintelligible 00:52:04.25] the symbols and whatnot, but you can get results much, much faster than if we need to implement a full-blown JIT for Python. So I’m very excited.

Jerod Santo: Yeah. I mean, at their scale it’s probably significant savings. This does sound like a private equity move, would be like to go in and cut costs; that would be one way to cut costs. Now, having said that, this is not changing the way WordPress works. This is a WP Config option that is default to on, that WP Engine, the company, defaults now to off.

And so I think you can go back in - I would hope that you go back in through their interface… Surely, you can configure your WordPress [unintelligible 01:18:31.01] and turn it back on again. But this is just totally a private equity thing to do. It’s like “Let’s cut costs. Here’s one way to do it.” And I can see where that’s a legit move by them as a business, but it also offends Matt Mullenweg as the creator of WordPress.

Autumn Nash: And the fact that you would then have so much evidence to justify getting – you know what I mean? Like, you started off wrong, but at some point you could definitely have a roundabout way of gotten enough information to make it legit.

Jordan Eldredge: I did. I had some – I feel I was mostly like… I didn’t think I had legit tapes. I had tapes that a friend copied off of his dad’s tapes, or something that…